team-alpha/railsgoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'master' of github.com:OWASP/railsgoat

Browse Source
This commit is contained in:
cktricky
2013-11-14 15:05:14 -05:00
parent 53dcc75f74 0075ca7a9c
commit 810c086130
5 changed files with 7 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Gemfile
+1 -1
View File
@@ -2,7 +2,7 @@ source 'https://rubygems.org'
#don't upgrade
gem 'rails', '3.2.11'
gem 'rack', '1.4.3'
gem 'rack', '1.4.0'
# Bundle edge Rails instead:
# gem 'rails', :git => 'git://github.com/rails/rails.git'
Gemfile.lock
+2 -2
View File
@@ -167,7 +167,7 @@ GEM
coderay (~> 1.0)
method_source (~> 0.8)
slop (~> 3.4)
rack (1.4.3)
rack (1.4.0)
rack-cache (1.2)
rack (>= 0.4)
rack-livereload (0.3.15)
@@ -293,7 +293,7 @@ DEPENDENCIES
poltergeist
powder
pry
rack (= 1.4.3)
rack (= 1.4.0)
rack-livereload
rails (= 3.2.11)
rb-fsevent
app/views/layouts/tutorial/access_control/_access_control_first.html.erb
+2 -2
View File
@@ -66,13 +66,13 @@
</p>
<p><b>Failure to Restrict URL Access - SOLUTION</b></p>
<p class="desc">
The code is already available to restrict access to the admin controller by role within app/controllers/application_controller.rb. The additional condition that if the admin_id param equals 1 means the filter can be circumvented by an attacker. The way to fix this issue is to enforce the filter on all access requests to the admin dashboard as follows:
The code is already available to restrict access to the admin controller by role within app/controllers/application_controller.rb. The additional condition that if the admin_id param equals 1 means the filter can be circumvented by an attacker. The way to fix this issue is to remove the conditional and enforce the filter on all access requests to the admin dashboard as follows:
</p>
<pre class="ruby">
<%= %q{
class AdminController < ApplicationController
before_filter :administrative, :if => :admin_param
before_filter :administrative
} %>
</pre>
</div>
app/views/layouts/tutorial/misconfig/_misconfig_first.html.erb
+1 -1
View File
@@ -1,7 +1,7 @@
<div class="widget">
<div class="widget-header">
<div class="title">
<span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A6 - Security Misconfiguration
<span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A5 - Security Misconfiguration
</div>
</div>
<div class="widget-body">
app/views/layouts/tutorial/misconfig/_misconfig_second.html.erb
+1 -1
View File
@@ -1,7 +1,7 @@
<div class="widget">
<div class="widget-header">
<div class="title">
<span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A6 - Security Misconfiguration
<span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A5 - Security Misconfiguration
</div>
</div>
<div class="widget-body">